2b916be356227dd894fc71f8640e86a6d2774df6b33784fdf5cbbb8446eb4629

General

Target

82c523c25261a0bbbce7272235f51a30_NeikiAnalytics.exe
Size

12KB
MD5

82c523c25261a0bbbce7272235f51a30
SHA1

c91470e8c9e0d56cd7c91709241c975d8b383456
SHA256

2b916be356227dd894fc71f8640e86a6d2774df6b33784fdf5cbbb8446eb4629
SHA512

84cdba36e647be462bd4b4f16c90ecd62a38841b93162e28152b8bd89fd2e920bc5f2441b976941d7582159103cfd4b08db366f39ac5bc569d205e8580d4fec2
SSDEEP

384:kL7li/2zMq2DcEQvdQcJKLTp/NK9xaMc:ygMCQ9cMc

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	82c523c25261a0bbbce7272235f51a30_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
5068	tmp4E7F.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
5068	tmp4E7F.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1148	82c523c25261a0bbbce7272235f51a30_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 4080	1148	82c523c25261a0bbbce7272235f51a30_NeikiAnalytics.exe	86
PID 1148 wrote to memory of 4080	1148	82c523c25261a0bbbce7272235f51a30_NeikiAnalytics.exe	86
PID 1148 wrote to memory of 4080	1148	82c523c25261a0bbbce7272235f51a30_NeikiAnalytics.exe	86
PID 4080 wrote to memory of 1212	4080	vbc.exe	89
PID 4080 wrote to memory of 1212	4080	vbc.exe	89
PID 4080 wrote to memory of 1212	4080	vbc.exe	89
PID 1148 wrote to memory of 5068	1148	82c523c25261a0bbbce7272235f51a30_NeikiAnalytics.exe	90
PID 1148 wrote to memory of 5068	1148	82c523c25261a0bbbce7272235f51a30_NeikiAnalytics.exe	90
PID 1148 wrote to memory of 5068	1148	82c523c25261a0bbbce7272235f51a30_NeikiAnalytics.exe	90

C:\Users\Admin\AppData\Local\Temp\82c523c25261a0bbbce7272235f51a30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\82c523c25261a0bbbce7272235f51a30_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wzasifmd\wzasifmd.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50FE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9EE3AE9D4792439EA837659351E29569.TMP"
    3⤵
    PID:1212
- C:\Users\Admin\AppData\Local\Temp\tmp4E7F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4E7F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\82c523c25261a0bbbce7272235f51a30_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
0da6623e576193254e58434a9edd0c6e

SHA1
b5dbdde35bb55f3eaaa16b23f9674e8119772212

SHA256
ee3e0e4c400bc1c6a4d5aae76e6d44b7b5ede8751d9a5d6203d3580bf3c374e3

SHA512
7cf4c77bb35583ca52c33a528a2e04da2956832577436bb99fb676f81dbc3e8bcd2dcdce2ee1874c569d407b82ec6a72f1e5b6c5ad17b4c37a50433726f9b778

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES50FE.tmp

Filesize
1KB

MD5
188de38e46a71f2d3e5799a510502b3c

SHA1
e4fedf66b836ef2fa428cc96fbd8f28ae2c01f60

SHA256
40b9977a05aab2546c08230e15e2e36ae691705790791dc9cb99c02ddf6983b7

SHA512
8e548570780cea22bd5f563d696117dcbacf8fc2781916d8b0163ee3ec1e8bfa7b11e18d5291db183520766978df7a9b99582e17c45f3ecba6dc9a9c49f605a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4E7F.tmp.exe

Filesize
12KB

MD5
330cc651ba6aa48d6dc34c9a54fc1807

SHA1
70ad48dcb172fcd28a6ef3e8e77ab4cbdfdff9d5

SHA256
591c67def592c56e9465a3eb8d7ff13b50c960c52301d7f943164c9492524d75

SHA512
de2d3d6e0b8e2c8fee4e1c2b786b6f6088ccaec2b9aecb89de56fe602021aab79103cfaa6dd362b687ae99341bed457228eb8056819852580cf06a33ea742ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9EE3AE9D4792439EA837659351E29569.TMP

Filesize
1KB

MD5
b8fa43cf6f530e62f8ab25c0388796ab

SHA1
3a43da292bb000519113b95870372b8ec6e303e6

SHA256
4290f90df1c51e21679849477206661c5c631a87f5c9a0ac483962b3a33e3694

SHA512
c62bcead92329a5305f40fe1b9cd760b570adf7488d39b34b50de83fc66cc371ccd27bd375b5446e7c3aab204adc4a8be385202084cae944c6019213397b1e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzasifmd\wzasifmd.0.vb

Filesize
2KB

MD5
feea7bf0777d825ff6f463417ffe3118

SHA1
13b416c2bcaf75f47a53bdd01ef2b5bed716536c

SHA256
349ed88a0cfdd7c5274f43c931c87c5cf6ed9fc9c032d660435155361ffebd5e

SHA512
420f2676b52c2a331ebc9f2fc3a761a0429f421970646e8c968cc9b94fc1558d4bf614f42278a317826fdc78b51647ce3b430e135879b5ee2da471831d46d5e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzasifmd\wzasifmd.cmdline

Filesize
273B

MD5
34f4a0e5e2ab815f5c92141cd0500ec6

SHA1
d3d5f6de1f5a6e0d386269d8c71def03bea0e412

SHA256
a7b351d3cda4ca483eb0a80fb3f498c0d70856cbf05660e359553f1f60183818

SHA512
75a2ba79618e1401bcb164e5a5a7e75c98fc2c26fee3a9750126bcbe8f57d2a5a2cc0455c54a2fce2c8c3e6de4f75df6dd459bd8559a46716b7dbab7e83db329

Download Submit
memory/1148-0-0x0000000074E4E000-0x0000000074E4F000-memory.dmp

Filesize
4KB

Download
memory/1148-8-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/1148-2-0x0000000004FB0000-0x000000000504C000-memory.dmp

Filesize
624KB

Download
memory/1148-1-0x0000000000630000-0x000000000063A000-memory.dmp

Filesize
40KB

Download
memory/1148-26-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/5068-24-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/5068-25-0x0000000000C20000-0x0000000000C2A000-memory.dmp

Filesize
40KB

Download
memory/5068-27-0x0000000005AF0000-0x0000000006094000-memory.dmp

Filesize
5.6MB

Download
memory/5068-28-0x00000000055E0000-0x0000000005672000-memory.dmp

Filesize
584KB

Download
memory/5068-30-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing